Building A Comprehensive Approach to Insider Threats

The first thing that business leaders should do about the insider security threat is to take it seriously. Although there is widespread recognition that the threat is very serious, in most sectors there is insufficient follow-through to build the threat-specific plans, organizational structures, and controls to deal with it.

What is needed is a comprehensive approach that addresses and leverages the unique aspects of the insider threat. Technology by itself is not the answer; the critical human dimension of the insider threat must also be addressed.

A comprehensive approach would include the following:

Establishing a threat-aware culture of institutional integrity and personal reliability
Company culture is a product of many factors, but one of the most decisive is the behavior of senior leadership and the values they model. A culture of institutional integrity and personal reliability is conducive to success in almost any enterprise. Factors for achieving this include the following:

  • Create an environment in which self-directed employee actions reflect a high degree of institutional integrity and personal reliability.
  • Articulate clear expectations in an enterprise Acceptable Use Policy governing IT resources. This should be a formal signed agreement between the company and each employee and external party who has access to the enterprise IT resources or facilities.
  • Create a safe environment in which to self-report accidental actions that jeopardize security. Removing the stigma of having inadvertently committed a security violation can help minimize impact and help everyone learn.
  • Provide regular insider threat awareness training as well as realistic phishing training exercises. An organized phishing awareness exercise program can raise the company’s standard of performance in this critical area.
  • Establish a set of institutional values reflecting the desired culture, select leaders based on their adherence to these values, and include demonstration of these values as an item on employee performance assessments.

Building a multidisciplinary program
Establish an executive committee to manage an integrated multidisciplinary program designed to deter, prevent, detect, and respond to insider threats and to limit their impact.

The program should have the active participation of the functional organizations across the business such as Risk, IT, Cybersecurity, Physical Security, Human Resources, Fraud, and General Counsel, as well as company-specific verticals (manufacturing, operations, etc.).

The program should include the following:

  • Creation and oversight of policies related to the management of insider risk
  • Regularized workflow, processes, and meetings to actively and collectively review threat intelligence, the internal threat landscape, internal indicators of risk, insider events, sponsored activities, and trends from each sub-discipline
  • Implementation and oversight of personnel reliability processes from pre-employment background checks to off-boarding procedures to assess and act upon personnel security risks, behavioral risk indicators, and individual vulnerability to compromise
  • Decision-making authority pertaining to the integration of programs within each vertical, the aggregation of insider risk data across the verticals, and the corporate response to insider events
  • Definition of requirements for employee training and awareness of insider threats and prevention measures

Building and operating security controls
Many of the security controls that already exist (or should exist) within the enterprise can be effective in detecting, preventing, or mitigating the results of insider threat activity. Key technical controls include the following:

  • Access controls, particularly for privileged users (those with administrative authority)
  • Data protection, including encryption, data loss prevention technology, data backups, and exfiltration monitoring
  • Configuration management and secure configurations
  • Vulnerability and patch management
  • Internal network segmentation

Monitoring and detecting insider behavior
The program should seek to prevent insider attacks by capturing observable indicators of potential activity before insiders act. Intelligence on the insider threat generally comes from within the enterprise through either technical data or behavioral indicators:

Technical:
The most significant sources of cyber-related technical intelligence are the real-time alerts and outputs of security appliances, network- and host-based sensors, and data loss prevention tools, as well as the network- and system-level logs that are generated automatically (if so configured) throughout the enterprise. In most enterprises these sources provide so much data that managing it and effectively integrating it with operations become serious challenges. In addition, the volume of data drives a need for storage that can become acute depending on policy decisions regarding what logs are maintained and for how long.

Insider threat-tracking tools in use today, such as data loss prevention, threat intelligence, and security information and event management (SIEM) systems, pinpoint potentially illicit activities by identifying anomalies in a person’s IT resource and data access patterns.
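As an added illustration of the anomaly-in-access-patterns idea described above (example code written for this page, not a product's detection logic), the script below builds a per-user baseline of daily data-access volume from constructed log lines and flags a day that is far outside that user's own history, plus any off-hours copy to removable media. The log format, the `COPY_USB` action name and the business-hours window are assumptions for the example.

```python
# Added example (not the article's own code): per-user baseline of data-access
# volume and hours, as a SIEM/DLP-style rule. Logs and layout are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: ISO timestamp, user, action, bytes touched
SAMPLE_LOGS = """\
2024-03-04T09:12:00 alice READ 120000
2024-03-05T09:30:00 alice READ 110000
2024-03-06T09:05:00 alice READ 100000
2024-03-07T23:45:00 alice READ 9800000
2024-03-07T23:50:00 alice COPY_USB 9800000
2024-03-04T14:00:00 bob READ 50000
2024-03-05T14:30:00 bob READ 52000
2024-03-06T13:10:00 bob READ 51000
"""
BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 counts as on-duty time

def parse(lines):
    """Split log lines into (timestamp, user, action, bytes) tuples."""
    events = []
    for line in lines.strip().splitlines():
        ts, user, action, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), user, action, int(nbytes)))
    return events

def daily_bytes(events):
    """Total bytes touched per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for ts, user, _, nbytes in events:
        totals[user][ts.date()] += nbytes
    return totals

def find_anomalies(events, z_threshold=3.0):
    """Flag a day far above the user's own leave-one-out baseline, and any
    off-hours copy to removable media. Returns sorted (user, day, reason)."""
    findings = set()
    for user, per_day in daily_bytes(events).items():
        days = sorted(per_day)
        for day in days:
            baseline = [per_day[d] for d in days if d != day]
            if len(baseline) < 2:
                continue  # too little history to judge this user
            mu, sigma = mean(baseline), pstdev(baseline)
            if sigma and (per_day[day] - mu) / sigma > z_threshold and per_day[day] > 2 * mu:
                findings.add((user, str(day), "volume spike"))
    for ts, user, action, _ in events:
        if action == "COPY_USB" and ts.hour not in BUSINESS_HOURS:
            findings.add((user, str(ts.date()), "off-hours removable media"))
    return sorted(findings)
```

The baseline is per person rather than enterprise-wide, which is the point the text makes: bob's steady 50 KB days never trip the rule, while alice's single 19.6 MB day does.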

Non-technical:
Unique to the insider threat is the availability of a large amount of relevant non-technical behavioral observables. Integrating operational intelligence information at the intersection of cybersecurity, fraud detection, and physical security can yield critical insights about potential insider threats.

Examples of non-technical cyber data include the following:

  • email behavior: volume, content, and addressees; presence and type of attachments
  • workday activities: patterns of on/off duty time, including weekdays, weekends, and holidays; location
  • job performance: performance reviews, productivity, and time accountability
  • indicators of affiliation: degree of participation in company-sponsored activities; indications of discontent through online behavior and social media usage

Analysis of this type of data through automated and manual processes can identify patterns of behavior that indicate at-risk employees or imminent insider attacks. There may also be value in integrating external threat intelligence for factors that could influence at-risk insiders. It is important that the company’s legal counsel advise the executive committee on informing employees of ongoing monitoring and how the data will be used. Oversight by the executive committee is essential to ensure that the monitoring program is operated within the bounds of policy.